
NFSD: Handle new xprtsec= export option

Enable administrators to require clients to use transport layer
security when accessing particular exports.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

+62 -3
+48 -3
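--- a/fs/nfsd/export.c
+++ b/fs/nfsd/export.c
@@ -439,7 +439,6 @@
 		return -EINVAL;
 	}
 	return 0;
-
 }
 
 #ifdef CONFIG_NFSD_V4
@@ -545,6 +546,29 @@
 secinfo_parse(char **mesg, char *buf, struct svc_export *exp) { return 0; }
 #endif
 
+static int xprtsec_parse(char **mesg, char *buf, struct svc_export *exp)
+{
+	unsigned int i, mode, listsize;
+	int err;
+
+	err = get_uint(mesg, &listsize);
+	if (err)
+		return err;
+	if (listsize > NFSEXP_XPRTSEC_NUM)
+		return -EINVAL;
+
+	exp->ex_xprtsec_modes = 0;
+	for (i = 0; i < listsize; i++) {
+		err = get_uint(mesg, &mode);
+		if (err)
+			return err;
+		if (mode > NFSEXP_XPRTSEC_MTLS)
+			return -EINVAL;
+		exp->ex_xprtsec_modes |= mode;
+	}
+	return 0;
+}
+
 static inline int
 nfsd_uuid_parse(char **mesg, char *buf, unsigned char **puuid)
 {
@@ -630,6 +608,7 @@
 	exp.ex_client = dom;
 	exp.cd = cd;
 	exp.ex_devid_map = NULL;
+	exp.ex_xprtsec_modes = NFSEXP_XPRTSEC_ALL;
 
 	/* expiry */
 	err = get_expiry(&mesg, &exp.h.expiry_time);
@@ -672,6 +649,8 @@
 				err = nfsd_uuid_parse(&mesg, buf, &exp.ex_uuid);
 			else if (strcmp(buf, "secinfo") == 0)
 				err = secinfo_parse(&mesg, buf, &exp);
+			else if (strcmp(buf, "xprtsec") == 0)
+				err = xprtsec_parse(&mesg, buf, &exp);
 			else
 				/* quietly ignore unknown words and anything
 				 * following. Newer user-space can try to set
@@ -687,6 +662,7 @@
 		err = check_export(&exp.ex_path, &exp.ex_flags, exp.ex_uuid);
 		if (err)
 			goto out4;
+
 		/*
 		 * No point caching this if it would immediately expire.
 		 * Also, this protects exportfs's dummy export from the
@@ -849,6 +823,7 @@
 	for (i = 0; i < MAX_SECINFO_LIST; i++) {
 		new->ex_flavors[i] = item->ex_flavors[i];
 	}
+	new->ex_xprtsec_modes = item->ex_xprtsec_modes;
 }
 
 static struct cache_head *svc_export_alloc(void)
@@ -1061,9 +1034,26 @@
 
 __be32 check_nfsd_access(struct svc_export *exp, struct svc_rqst *rqstp)
 {
-	struct exp_flavor_info *f;
-	struct exp_flavor_info *end = exp->ex_flavors + exp->ex_nflavors;
+	struct exp_flavor_info *f, *end = exp->ex_flavors + exp->ex_nflavors;
+	struct svc_xprt *xprt = rqstp->rq_xprt;
 
+	if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_NONE) {
+		if (!test_bit(XPT_TLS_SESSION, &xprt->xpt_flags))
+			goto ok;
+	}
+	if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_TLS) {
+		if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) &&
+		    !test_bit(XPT_PEER_AUTH, &xprt->xpt_flags))
+			goto ok;
+	}
+	if (exp->ex_xprtsec_modes & NFSEXP_XPRTSEC_MTLS) {
+		if (test_bit(XPT_TLS_SESSION, &xprt->xpt_flags) &&
+		    test_bit(XPT_PEER_AUTH, &xprt->xpt_flags))
+			goto ok;
+	}
+	goto denied;
+
+ok:
 	/* legacy gss-only clients are always OK: */
 	if (exp->ex_client == rqstp->rq_gssclient)
 		return 0;
@@ -1105,6 +1061,7 @@
 	if (nfsd4_spo_must_allow(rqstp))
 		return 0;
 
+denied:
 	return rqstp->rq_vers < 4 ? nfserr_acces : nfserr_wrongsec;
 }
 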
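Review bot: xprtsec_parse accepts a list entry of 0, because `mode > NFSEXP_XPRTSEC_MTLS` only rejects values above the highest flag; a 0 entry contributes nothing to ex_xprtsec_modes, and a list of length 0 leaves it at 0 as well, so the export is accepted but check_nfsd_access then takes `goto denied` for every request on it. That fails closed, which is the right direction, but it is silent at export time and the client only ever sees nfserr_acces or nfserr_wrongsec. Rejecting the empty entry at parse time is one line, `if (!mode || mode > NFSEXP_XPRTSEC_MTLS)`; whether listsize == 0 should likewise be -EINVAL depends on whether an empty list is meant to mean deny-all, which the commit message does not say. A short comment above xprtsec_parse stating that the list is a count followed by NFSEXP_XPRTSEC_* flag values that are OR'd together would also help the next reader. check_nfsd_access is split across the last two hunks; the point above applies to the xprtsec_parse hunk.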
+1
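--- a/fs/nfsd/export.h
+++ b/fs/nfsd/export.h
@@ -77,6 +77,7 @@
 	struct cache_detail *cd;
 	struct rcu_head ex_rcu;
 	struct export_stats ex_stats;
+	unsigned long ex_xprtsec_modes;
 };
 
 /* an "export key" (expkey) maps a filehandlefragement to an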
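Review bot: The new ex_xprtsec_modes member is undocumented, and nothing in the struct says which values it holds or that it is a policy check applied on every request. A comment above the member such as `/* OR of NFSEXP_XPRTSEC_* flags: transport security modes allowed to reach this export */` would tie it to the uapi definitions and to check_nfsd_access, where it is consumed.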
+13
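--- a/include/uapi/linux/nfsd/export.h
+++ b/include/uapi/linux/nfsd/export.h
@@ -62,5 +62,18 @@
 				| NFSEXP_ALLSQUASH \
 				| NFSEXP_INSECURE_PORT)
 
+/*
+ * Transport layer security policies that are permitted to access
+ * an export
+ */
+#define NFSEXP_XPRTSEC_NONE 0x0001
+#define NFSEXP_XPRTSEC_TLS 0x0002
+#define NFSEXP_XPRTSEC_MTLS 0x0004
+
+#define NFSEXP_XPRTSEC_NUM (3)
+
+#define NFSEXP_XPRTSEC_ALL (NFSEXP_XPRTSEC_NONE | \
+			    NFSEXP_XPRTSEC_TLS | \
+			    NFSEXP_XPRTSEC_MTLS)
 
 #endif /* _UAPINFSD_EXPORT_H */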
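Review bot: NFSEXP_XPRTSEC_NUM is the count of NFSEXP_XPRTSEC_* flags and the export.c parser uses it as the upper bound on the length of the xprtsec= list, but nothing here says it has to move in step with the flag list, and NFSEXP_XPRTSEC_ALL has the same hidden dependency. A one-line comment above it, `/* number of NFSEXP_XPRTSEC_* flags above; update together with the list and NFSEXP_XPRTSEC_ALL */`, would make that visible, which matters more than usual because this is a uapi header and the values are fixed once released.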